MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 f03e44339ccec266337496169d478be9683f0a6057d58697d2942a52aebbf7b1. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 7


Intelligence 7 IOCs YARA 3 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: f03e44339ccec266337496169d478be9683f0a6057d58697d2942a52aebbf7b1
SHA3-384 hash: 6eea184f9c761086d1c7c8b28a072d6da060a3309f8bacb320dd9fdb0e640fbc67e4bc787979962be5fb9aecd8a7ccc7
SHA1 hash: 07a18ecc412f8ef692bcedf7941823f26c12719e
MD5 hash: 61f052c62cc122aae331317e493275bc
humanhash: freddie-magazine-pennsylvania-july
File name:61f052c62cc122aae331317e493275bc.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:1'064'448 bytes
First seen:2021-07-01 09:55:09 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'740 x AgentTesla, 19'600 x Formbook, 12'241 x SnakeKeylogger)
ssdeep 24576:Z/shGI02qw0UUgOZ/jnmmZ+zX5KZE7jpqRLlXRJG3:ZUhGI02FmHZ2+TxXTG
Threatray 13 similar samples on MalwareBazaar
TLSH 5E3523382AFD226DC37A673B10F0711ADB7D6773B91BC22A24A5454E45C7A40CAF127E
Reporter abuse_ch
Tags:exe RedLineStealer

Intelligence

File Origin
# of uploads :
1
# of downloads :
105
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
61f052c62cc122aae331317e493275bc.exe
Verdict:
Malicious activity
Analysis date:
2021-07-01 09:56:57 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/36ae9094-4139-4785-bdb6-19bd75fbab5e

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/169097/
Detection(s):
SecuriteInfo.com.Trojan.PackedNET.900-1.UNOFFICIAL
Create hunting rule

Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Malware family:
njRAT
Create hunting rule
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/180fe388-df7c-44be-be4e-012c8c233a6d
Result
Threat name:
Unknown
Detection:
malicious
Classification:
evad
Score:
92 / 100
Link:
https://www.joesandbox.com/analysis/810452
Signature
.NET source code contains very large strings
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Tries to delay execution (extensive OutputDebugStringW loop)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/f03e44339ccec266337496169d478be9683f0a6057d58697d2942a52aebbf7b1/
Threat name:
ByteCode-MSIL.Backdoor.Androm
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 05:41:49 UTC
AV detection:
10 of 46 (21.74%)
Threat level:
  5/5
Verdict:
unknown
Similar samples:
1b9bb1e946bfa8aedec8483a97b8abc7bac0da1e58150d23b2c0473aa1095782
RedLineStealer
21fdc7575a436316c0235f3240191d0e4773e8a54d1d088c76cfab7c705bb0fb
RedLineStealer
42d293cf86f774218bf7751f1001e0a57883a1c7c90c6c1e8803a061094860cf
RedLineStealer
6830905eba294273b6b4dd27f4e8670d4c05013d85e88df7db1b99d42619f0f6
RedLineStealer
788c6cb2d98c6b7a40318a4293bdf24001940fe44a750f37fc30733739efffc2
RedLineStealer
9e537b12c49cb2567b23a965f83695bc071b684c81edb5fadf1b24909f24b3e9
RedLineStealer
a8d0378ee4cf93deecfd4a82a95707443de28c6ec719a6ffa840182ddf7d18c3
RedLineStealer
a98ba3cb7eb936b7edcf60262bb5b78f8584af2f7b41423a62f291c804ef9252
RedLineStealer
c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae
RedLineStealer
e945bb8adf04184220759eee4322100778cbe096875c8cb0d21ee7d01d36e457
RedLineStealer
+ 3 additional samples on MalwareBazaar
Result
Malware family:
n/a
Score:
  5/10
Tags:
n/a
Link:
https://tria.ge/reports/210701-dya85r71l2/
Behaviour
Creates scheduled task(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Suspicious use of SetThreadContext
Unpacked files
SH256 hash:
5a13c2c65d8ed4492a9552686ffeaa7413b2455ad912409071b925a12840dfa4
MD5 hash:
6e6965f021bac1a12ac9d9cdb7c26748
SHA1 hash:
a1c3267f12d595dc400e38a6fa8b2e30d646b30d
Link:
https://www.unpac.me/results/0e4b6bb0-9f50-411b-9f32-6ef3142867b9/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/0e4b6bb0-9f50-411b-9f32-6ef3142867b9/
SH256 hash:
620c40b984d06321f89694ff3f321f68eccdbaee8ba0318703bdd77cffa66720
MD5 hash:
887c550e89918fd830b3f68557f40310
SHA1 hash:
2e3ba5c49f88696dfbf635fd14aa4702941d618d
Link:
https://www.unpac.me/results/0e4b6bb0-9f50-411b-9f32-6ef3142867b9/
SH256 hash:
f03e44339ccec266337496169d478be9683f0a6057d58697d2942a52aebbf7b1
MD5 hash:
61f052c62cc122aae331317e493275bc
SHA1 hash:
07a18ecc412f8ef692bcedf7941823f26c12719e
Link:
https://www.unpac.me/results/0e4b6bb0-9f50-411b-9f32-6ef3142867b9/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/f03e44339ccec266337496169d478be9683f0a6057d58697d2942a52aebbf7b1

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

RedLineStealer

Executable exe f03e44339ccec266337496169d478be9683f0a6057d58697d2942a52aebbf7b1

(this sample)

Cape
Cape
https://www.capesandbox.com/analysis/169097/
  
URLhaus
https://urlhaus.abuse.ch/url/1398042/
  
Delivery method
Distributed via web download

Comments